re-add branch we dropped in the past (#11030)

* re-add branch we dropped in the past * add the test * test all key types * Update src/rust/src/backend/utils.rs Co-authored-by: Alex Gaynor <[email protected]> --------- Co-authored-by: Alex Gaynor <[email protected]>
pyca · May 27, 2024 · 7f515fc · 7f515fc
1 parent 5dc620d
commit 7f515fc
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs
@@ -145,6 +145,13 @@ pub(crate) fn pkey_private_bytes<'p>(
     }
 
     if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) {
+        if cryptography_openssl::fips::is_enabled() && !password.is_empty() {
+            return Err(CryptographyError::from(
+                pyo3::exceptions::PyValueError::new_err(
+                    "Encrypted traditional OpenSSL format is not supported in FIPS mode",
+                ),
+            ));
+        }
         if let Ok(rsa) = pkey.rsa() {
             if encoding.is(&types::ENCODING_PEM.get(py)?) {
                 let pem_bytes = if password.is_empty() {

diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
@@ -773,6 +773,24 @@ def test_private_bytes_encrypted_pem(self, backend, fmt, password):
         priv_num = key.private_numbers()
         assert loaded_priv_num == priv_num
 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend._fips_enabled,
+        skip_message="Requires FIPS",
+    )
+    def test_traditional_serialization_fips(self, backend):
+        key_bytes = load_vectors_from_file(
+            os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"),
+            lambda pemfile: pemfile.read().encode(),
+        )
+        key = serialization.load_pem_private_key(key_bytes, None, backend)
+        assert isinstance(key, ec.EllipticCurvePrivateKey)
+        with pytest.raises(ValueError):
+            key.private_bytes(
+                serialization.Encoding.PEM,
+                serialization.PrivateFormat.TraditionalOpenSSL,
+                serialization.BestAvailableEncryption(b"password"),
+            )
+
     @pytest.mark.parametrize(
         ("encoding", "fmt"),
         [

diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
@@ -2432,6 +2432,21 @@ def test_private_bytes_encrypted_pem(
         priv_num = key.private_numbers()
         assert loaded_priv_num == priv_num
 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend._fips_enabled,
+        skip_message="Requires FIPS",
+    )
+    def test_traditional_serialization_fips(
+        self, rsa_key_2048: rsa.RSAPrivateKey, backend
+    ):
+        key = rsa_key_2048
+        with pytest.raises(ValueError):
+            key.private_bytes(
+                serialization.Encoding.PEM,
+                serialization.PrivateFormat.TraditionalOpenSSL,
+                serialization.BestAvailableEncryption(b"password"),
+            )
+
     @pytest.mark.parametrize(
         ("encoding", "fmt"),
         [